Windows Analysis Report
avp.msi

Overview

General Information

Sample name: avp.msi
Analysis ID: 1428527
MD5: 4d81be09c23e02fab7364e508c21c111
SHA1: 52cae521d7a808c8206f4b5afd6b037bc573b50e
SHA256: dcae57ec4b69236146f744c143c42cc8bdac9da6e991904e6dbf67ec1179286a

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
PE file has a writeable .text section
Checks for available system drives (often done to infect USB drives)
Creates files inside the system directory
Deletes files inside the Windows folder
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: http://85.239.53.219/api/gateway Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll Virustotal: Detection: 49%
Source: avp.msi ReversingLabs: Detection: 15%
Source: avp.msi Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: Traffic Snort IDS: 2052098 ET TROJAN Win32/SSLoad Registration Activity (POST) 192.168.2.4:49731 -> 85.239.53.219:80
Source: Traffic Snort IDS: 2052169 ET TROJAN Win32/SSLoad Registration Response 85.239.53.219:80 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2052099 ET TROJAN Win32/SSLoad Tasking Request (POST) 192.168.2.4:49731 -> 85.239.53.219:80
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View IP Address: 85.239.53.219
Source: Joe Sandbox View ASN Name: RAINBOW-HKRainbownetworklimitedHK
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org (3 queries)
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Host: api.ipify.org
Source: global traffic HTTP traffic detected: POST /api/gateway HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json
    Referer: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Length: 169
    Host: 85.239.53.219
Source: global traffic HTTP traffic detected: POST /api/7f841ea3-c875-6dfd-678b-29dc794014c1/tasks HTTP/1.1 (6 identical requests)
    Connection: Keep-Alive
    Content-Type: application/json
    Referer: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Length: 0
    Host: 85.239.53.219
Source: unknown TCP traffic detected without corresponding DNS query: 85.239.53.219 (16 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: unknown HTTP traffic detected: POST /api/gateway HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json
    Referer: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Length: 169
    Host: 85.239.53.219
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://t2.symcb.com0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: avp.msi, MSI1DEC.tmp.1.dr, MSI1C29.tmp.0.dr, MSI1C9A.tmp.0.dr, MSI1E99.tmp.1.dr, MSI1B7B.tmp.0.dr, MSI1C09.tmp.0.dr, MSI1C6A.tmp.0.dr, 651cf2.msi.1.dr, MSI1C4A.tmp.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: forcedelctl.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\651cf2.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1DEC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1E99.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{52EF198D-0C6C-406A-803F-F86D93DD7930}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F37.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI1DEC.tmp
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\MSI1C09.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
Source: avp.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs avp.msi
Source: classification engine Classification label: mal80.winMSI@6/19@1/2
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML1F73.tmp
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\yfdfromkrrgw
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\avp.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C10F74E54A153762865D83F4FD97627E C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E8F250EF0BB0858F7D9FA6A616305218
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
Source: avp.msi Static file information: File size 1427968 > 1048576
Source: forcedelctl.dll.1.dr Static PE information: real checksum: 0x8629a should be: 0xf0c20
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1C9A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1C29.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1DEC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1E99.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1C09.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1C4A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1C6A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1C9A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1C29.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1DEC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1E99.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1C09.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1C4A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1C6A.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3804 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior